Utilization of Whitelisting with McAfee Application Control in a PCS 7 / WinCC environment
SIMATIC PCS 7 and WinCC
https://support.industry.siemens.com/cs/ww/en/view/88653385
Warranty and liability
Note The Application Examples are not binding and do not claim to be complete with respect to the configuration, equipment and any eventualities. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These Application Examples do not relieve you of the responsibility to use safe practices with respect to application, installation, operation and maintenance. When using these Application Examples, you acknowledge that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. catalogs – the contents of the other documents have priority.
We do not accept any liability for the information contained in this document.
Any claims against us – for whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc. described in this Application Example shall be excluded. Such an exclusion shall not apply in case of mandatory liability, e.g. under the German Product Liability Act
Siemens AG 2018 All Rights Reserved
Security information
Siemens offers products and solutions with industrial security functions, which support the secure operation of systems, solutions, machines, devices and/or networks. They are important components of a holistic Industrial Security Concept. The Siemens products and solutions undergo continuous development with this concept in mind. Siemens recommends staying informed about product updates on a regular basis.
For the safe operation of products and solutions from Siemens, it is necessary to take suitable protective measures (e.g. cell protection concept) and to integrate each component into an overall IT security concept which corresponds to the state of the art in IT technology. Any third-party products that may be in use must also be taken into account. You will find more information about Industrial Security under http://www.siemens.com/industrialsecurity.
Please register for our product-specific newsletter to ensure that you will always be informed about product updates. Detailed technical information can be found at http://support.automation.siemens.com.
Table of contents
Warranty and liability
1 Preface
2 Whitelisting
2.1 Introduction
2.2 McAfee Application Control
3 Compatibility
4 Administration
4.1 General procedure
4.2 Local administration of McAfee Application Control
4.3 Central administration via McAfee ePolicy Orchestrator Server (ePO)
5 Use of McAfee Application Control with PCS 7 and WinCC
5.1 Installation preparations
5.2 Installation and Configuration
5.2.1 Local administration
5.2.2 Central administration via ePO
6 Update installation
6.1 Local administration
1 Preface
Purpose of the entry
This entry describes the installation, utilization, and recommended settings for
McAfee Application Control (component of the McAfee Integrity Control product) in
the SIMATIC PCS 7 and WinCC environment.
NOTICE Please note that McAfee Integrity Control releases the whitelisting functionality (McAfee Application Control) only for certain product versions of SIMATIC PCS 7 and WinCC.
More information is available on the Internet at:
https://www.siemens.com/kompatool
Required knowledge
This documentation is intended for persons involved in project planning,
commissioning and servicing of automation systems using SIMATIC PCS 7 or
WinCC.
Validity
This documentation applies for process control systems that are realized with
SIMATIC PCS 7 or WinCC.
It applies across versions, valid starting with PCS 7 V6.1 SP4 and WinCC starting
with V7.0 SP1.
2 Whitelisting
2.1 Introduction
The utilization of whitelisting technologies in a process control system is only
effective when they are part of a comprehensive security concept. The sole use of
whitelisting technologies cannot comprehensively protect a process control system
against malware attacks.
As a matter of principle, we therefore recommend adhering to the Security Concept
PCS 7 / WinCC and PCS 7 Compendium Part F, which are available on the
Internet via the following link:
http://support.automation.siemens.com
system.
The principle of whitelisting is the exact opposite of blacklisting, which works with a list of "non-trustworthy" applications (negative list = blacklist). An example of blacklisting is a conventional virus scanner, whose blacklist is its set of virus patterns. Since the number of "non-trustworthy" applications increases constantly, this blacklist must be adjusted on a regular basis. This means, for example, that the current blacklist (virus patterns) must be available to the virus scanner at all times. The virus scanner can only recognize applications as malware when they are listed on this blacklist.
Since whitelisting works with a positive list, a constant adaptation to new threats in
the form of malware is not necessary. This minimizes the administration and
updating expense.
3 Compatibility
An overview of which version of SIMATIC PCS 7 and WinCC is compatible with
which versions of McAfee Application Control can be found on the following
website:
http://www.siemens.com/kompatool
4 Administration
The administration of McAfee Application Control can be carried out in different ways:
- Locally on a computer system (standalone)
- Centrally via the administration software McAfee ePolicy Orchestrator (ePO)
The decision between local and central administration should be made based on the number of systems that are to be maintained. Similarly to an Active Directory domain, central administration should be used starting with about 10 systems that require administration.
enters them in the whitelist. The duration of this procedure depends on the
data volume and the performance of the computer and can last several hours.
With up-to-date hardware, this should last about 20-30 minutes.
3. Activation of McAfee Application Control
4. Computer restart
All executable files that were found during the scan (exe, com, dll, bat, etc.) are now protected against modifications (renaming, deletion, moving within the file path, etc.). From this point on, new applications, which are therefore unknown to the system, can no longer be executed.
NOTICE McAfee ePO must not be installed on a SIMATIC PCS 7 or WinCC computer or
Installation procedure
For the local installation of McAfee Application Control on a computer system,
proceed as follows:
1. Execute the operating system-specific setup for McAfee Application Control
and follow the instructions of the installation program. All default settings can
be accepted. No changes or adjustments are necessary.
2. Open the McAfee Application Control command line via "Start > Programs > McAfee > Solidifier > McAfee Solidifier command line"
3. Execute the "Solidify" command for all hard drives and partitions. To do so, enter the following command on the Solidifier command line:
All partitions and local hard drives of the computer system are scanned for executable files (applications) such as exe, com, bat and dll files, but also for Java, ActiveX controls, scripts, etc. Files found during the scan are signed by McAfee Application Control for future use, authorized and added to the whitelist. This also includes protection against subsequent changes such as deletion or renaming.
After the "solidification" is complete, the Solidifier command line indicates, per partition or hard drive, how many files were scanned and how many of them were authorized.
4. After the "solidification", you must activate McAfee Application Control. To do so, enter the following command on the Solidifier command line:
"sadmin enable"
Note The actual activation of the whitelisting via McAfee Application Control takes place only after restarting the computer.
6. After the restart, you can query the current status of the whitelisting by entering the following command on the Solidifier command line:
"sadmin status"
"sadmin passwd".
6 Update installation
Only authorized applications can be executed on a computer protected by McAfee
Application Control. However, under certain circumstances it becomes necessary
that new applications need be installed on a computer or that an update or hotfix
must be installed for existing and therefore authorized applications.
Examples of such a scenario:
- Installation of Microsoft security updates or additional important updates as part of patch management
- Installation of new, current virus patterns or the updating of the virus scan engine
- Installation of hotfixes/updates for SIMATIC products
- Subsequent installation of diagnostic tools
The option that is most frequently used is the utilization of updating programs, the so-called "updaters".
Updaters are programs that may change already registered files without further administration in McAfee Application Control, or add new files to the whitelist. This is necessary, for example, in order to load Windows updates via a WSUS patch server or to update the virus patterns of a virus scanner.
The procedure depends on how you administrate the system.
NOTICE For security reasons, limit the list of updaters to the selection required for the
operation of the system.
"finetune.bat"
This batch file can be executed via the McAfee Application Control command line. The self-explanatory script assists with releasing programs for updates, such as the Windows Update client. Updaters can also be added or removed with the parameters "add" or "remove" followed by the respective designation of the updater.
NOTICE If Autologin and Autostart have been configured for SIMATIC PCS 7 or WinCC
systems, they must be deactivated prior to the restart.
"sadmin bu"
Depending on the system, this is done centrally via the ePO through a task or locally on the respective PC.
4. Install the PCS 7 or WinCC update
5. Computer restart
6. Start the complete, updated PCS 7 or WinCC application
7. Activate Autologin and Autostart if they were deactivated previously
8. Terminate the update mode of Application Control via
"sadmin eu"
Depending on the system, this is done centrally via the ePO through a task or locally on the respective PC.
NOTE Please refer to the manufacturer's instructions to learn how to disable the
function:
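The three phases this document walks through (the solidification scan that builds the positive list, the enforcement that follows activation, and the update mode opened with "sadmin bu" and closed with "sadmin eu") can be modelled in a few lines to see why an unknown or modified executable is refused while a patch applied in update mode is not. The following Python block is an added illustration, not McAfee or Siemens code and not an interface to sadmin; the sha256 inventory and the re-inventory on leaving update mode are assumptions of this toy model.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".com", ".dll", ".bat"}  # file types the scan authorizes

def solidify(root):
    """Inventory step ('solidification'): hash every executable file below root."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_EXT}
class Whitelist:
    """Enforcement after activation: only inventoried, unchanged files may run."""
    def __init__(self, root):
        self.root, self.inventory, self.enforcing = root, solidify(root), True

    def check(self, path):
        """Decide for one file: 'allow', 'deny-unknown' or 'deny-modified'."""
        if not self.enforcing:
            return "allow"  # update mode open: changes are tolerated
        p = Path(path)
        expected = self.inventory.get(str(p))
        if expected is None:
            return "deny-unknown"  # not on the positive list
        actual = hashlib.sha256(p.read_bytes()).hexdigest()
        return "allow" if actual == expected else "deny-modified"

    def begin_update(self):  # counterpart of "sadmin bu"
        self.enforcing = False
    def end_update(self):  # counterpart of "sadmin eu"
        # Simplified model (assumption): files changed or added while update
        # mode was open are authorized by re-inventorying when it is closed.
        self.inventory, self.enforcing = solidify(self.root), True
def demo():
    """Constructed scenario: returns the decision reached in each situation."""
    root = Path(tempfile.mkdtemp())
    app = root / "app.exe"
    app.write_bytes(b"MZ original")
    wl = Whitelist(root)
    out = {"baseline": wl.check(app)}
    (root / "tool.exe").write_bytes(b"MZ new")  # program unknown to the system
    out["unknown"] = wl.check(root / "tool.exe")
    app.write_bytes(b"MZ tampered")  # registered file modified in place
    out["modified"] = wl.check(app)
    wl.begin_update()
    app.write_bytes(b"MZ patched")  # legitimate hotfix during update mode
    wl.end_update()
    out["after_update"] = wl.check(app)
    return out
```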
8 History
Table 8–1
Version | Date    | Change
V1.0    | 02/2014 | First edition
V1.1    | 12/2014 | Chapter "Special characteristics for PCS 7 and WinCC"
V1.2    | 07/2018 | Adding the chapter "Simultaneous use of Symantec Endpoint Protection and McAfee Application Control"